INSPECTOR GENERAL

UNITED STATES INTERNATIONAL TRADE COMMISSION
WASHINGTON, D.C. 20436

September 17, 1992

REVIEW OF USITC'S LOCAL AREA NETWORK
ADMINISTRATION AND CONTROLS

During the last few years, the Commission has invested a substantial amount of money and effort into automating agency functions and specifically in implementing the Local Area Network (LAN). The overall objective of this review was to determine whether the Commission has implemented a program that ensures effective management and operation of the LAN system.

This review was conducted by Cotton & Company in accordance with the Government Auditing Standards issued by the Comptroller General of the United States. The results of their review are presented as an attachment to this report. They found that the Commission's procedures were sufficient, in all material respects, to provide for effective LAN administration and control.

The auditors had the following findings:

    Dial-up telephone access to the LAN is not properly secured;

    The LAN files for two offices are not backed up on weekends;

    A policy does not exist establishing a frequency standard for virus checking, and the practice throughout the Commission is inconsistent;

    A formal system or procedures do not exist to identify the type and number of software packages purchased or in use, which is needed to demonstrate compliance with Federal licensing statutes;

    A policy statement does not exist concerning the unauthorized use or duplication of copyrighted software;

    A disaster recovery or contingency plan does not exist for offsite operation of the LAN in the event of a catastrophic incident; and

    The LAN administrator's internal control
    responsibilities are not set forth in a formal statement.

Three matters were noted for management's consideration. 1) Electronic access keys issued to employees are not routinely deactivated upon termination of employment. 2) The LAN user manual does not contain current and complete user information. 3) Commission employees not in the Office of Administration reported a deterioration in the quality of LAN support, which we attribute at least in part to the extended vacancy of the Chief position in the Office Automation and Support Division.

Recommendations relating to the findings are presented on pages 6 through 8 of the report. In summary, we recommend that the Director of Administration implement appropriate policies and procedures or take other needed actions concerning call-back controls, weekend backups, virus scans, software inventory, unauthorized copying of software, disaster recovery (contingency) plans, and LAN internal controls.

The Director of Administration generally agreed with the findings and recommendations. A summary of the Director's comments on the findings and our responses is presented on page 8 of the report. The Director's comments are presented in their entirety as an appendix to the report.

Jane E.
Altenhofen
Inspector General

Attachment

TABLE OF CONTENTS

Attachment   Report on the Review of the USITC's Local Area Network Administration and Controls

Appendix     Memorandum from Director, Office of Administration, dated August 12, 1992, on Draft Report

Attachment

REPORT ON THE REVIEW OF THE
UNITED STATES INTERNATIONAL TRADE COMMISSION'S
LOCAL AREA NETWORK
ADMINISTRATION AND CONTROLS

Prepared by:

Cotton & Company
Certified Public Accountants
Alexandria, Virginia

COTTON & COMPANY
CERTIFIED PUBLIC ACCOUNTANTS
100 South Royal Street • Alexandria, Virginia 22314 • (703) 836-6701 • Telecopier: (703) 836-0941

June 4, 1992

Ms. Jane E. Altenhofen
Inspector General
United States International Trade Commission
500 E Street, SW
Washington, DC 20436

Dear Ms. Altenhofen:

We reviewed the United States International Trade Commission's (ITC) policies and procedures for managing its Local Area Network (LAN).
Our overall objective was to determine if ITC has implemented a program that ensures effective management and operation of the LAN system. Specific objectives were to determine if ITC:

    • Administrative Management: Effectively performs the basic management functions of planning, organizing, directing, and controlling LAN resources.

    • Configuration Management: Maintains adequate documentation concerning the components and configuration of its LAN, implements and enforces standards for network components and configurations, and adequately controls changes to network components and configurations.

    • Managing Network Availability and Performance: Establishes effective methods and procedures to ensure that network resources are available to users to the maximum extent needed and that network resources perform with needed speed, efficiency, and accuracy.

    • Application Management: Maintains adequate documentation on its application software, implements standards and enforces licensing and copyright restrictions for software, and controls changes to its applications software.

    • User Support: Provides effective user support through training, ongoing technical support, and an information exchange program.
    • Cost: Maintains a control system that monitors LAN costs and determines the actual costs incurred to acquire, install, and operate the LAN.

    • Security: Provides effective security over LAN information resources through a formal ADP security program incorporating written policies and procedures that meet Federal laws and regulations.

We performed our review in accordance with generally accepted Government auditing standards. Our review included the tests and procedures we deemed necessary to meet the review objectives described above.

Our review was made for the limited purpose described above and, as such, would not disclose all material weaknesses in ITC's internal control system. Accordingly, we do not express an opinion on ITC's internal control system taken as a whole.

Based on our review for the limited purposes described above, ITC's procedures were sufficient, in all material respects, to provide for effective LAN administration and control. Our review did, however, disclose several conditions that we believe warrant corrective action. In addition, we noted certain other matters for management's consideration.
The review results are described in detail in the accompanying report.

We discussed our review results with the Director, Office of Information Resources Management (OIRM); the acting chief of the Office Automation Support Division; the senior network administrator; the special assistant for OIRM planning; and other headquarters personnel responsible for the overall management of ITC's LAN.

The accompanying report is intended solely for ITC's information and use and should be used for no other purpose.

Very truly yours,

COTTON & COMPANY

By: Kevin P. McFadden, CPA

CONTENTS

1   INTRODUCTION                                          1
    Background                                            1
    Objective                                             2
    Scope                                                 2
    Methodology                                           2

2   REVIEW RESULTS                                        4
    Findings                                              4
    Other Matters for Consideration                       6
    Recommendations Regarding Findings                    6
    Suggestions Regarding Other Matters for Consideration 8

    APPENDIX
    Commission's Response

REPORT ON THE REVIEW OF THE
UNITED STATES INTERNATIONAL TRADE COMMISSION'S
LOCAL AREA NETWORK ADMINISTRATION AND CONTROLS

PART 1.
INTRODUCTION

In this part, we discuss the review background, objective, scope, and methodology.

BACKGROUND

The United States International Trade Commission (ITC) is an independent Federal agency with six commissioners, a staff of about 500, and Fiscal Years (FY) 1991 and 1992 budgets of $40,299,000 and $42,434,000, respectively.

During the past few years, ITC has invested a substantial amount of money and effort into automating agency functions. Virtually every employee has a personal computer linked to the Local Area Network (LAN) system, which became operational in 1988.[1] The primary LAN system is Banyan Vines. The Office of Tariff Affairs and Trade Agreements (TATA) is currently connected to two LAN systems, Banyan Vines and Novell; the latter is in the process of being phased out. In December 1991, ITC issued A Five-Year Plan for Information Resources Management that outlines major changes planned for the LAN.

As of January 1992, the general-purpose LAN consisted of 11 Banyan file servers and approximately 470 personal computers as workstations. The system includes two modem pools offering dial-out service to other facilities. A limited dial-in service is also provided.

The LAN supports a variety of office automation functions including word processing, electronic mail, spreadsheets, and end-user data-base applications. The system contains unclassified and sensitive information, such as confidential (proprietary) business information. Applications software includes WordPerfect, Lotus Networker, dBase III, and Harvard Graphics. Users are given LAN training and a guide prior to using the system.

As set forth in USITC Directive 1028.1, dated April 21, 1991, the Office of Information Resources Management (OIRM) is responsible for coordinating and maintaining ITC's data collection, statistical support, public reporting, and information processing activities.
Within OIRM, the Office Automation Support Division is responsible for all network administration and office automation technical support. The network administration includes all LAN connectivity and communications interfaces with computer service bureaus and mainframes, network hardware, software, maintenance, cabling, user support, and standards. Technical support includes the installation, maintenance, and support for a wide range of end-user software and providing end-users with supplies and services as needed.

[1] A LAN is a geographically confined computer-based communication system capable of transmitting information or data between stations.

OBJECTIVE

The overall objective of this review was to determine if ITC has implemented a program that ensures effective management and operation of the LAN system. The objective encompasses the following elements:

    • Administrative management
    • Configuration management
    • Managing network availability and performance
    • Application management
    • User support
    • Cost
    • Security

SCOPE

We conducted our review at ITC headquarters in Washington, DC, from May 5 to June 4, 1992.

We conducted numerous discussions with the senior network administrator and the special assistant for OIRM planning.
We also met with other ITC personnel responsible for the overall management of ITC's LAN, including representatives from the Offices of Industries, Investigations, Economics, and TATA.

METHODOLOGY

We gathered data for our review through interviews and analyses of policies, documents, and reports determined to be important to the process of managing ITC's LAN.

The major guidelines and operating regulations we used to evaluate the management and administration of ITC's LAN included the following criteria:

    • Office of Management and Budget (OMB) Circular A-11, Preparation and Submission of Budget Estimates, Section 43: Data on Acquisition, Operation, and Use of Information Technology Systems.

    • OMB Circular A-130, Management of Federal Information Resources.

    • General Services Administration's (GSA) Federal Information Resources Management Regulation (FIRMR), Part 201-7, Security of Information Resource Systems.

    • GSA's FIRMR Part 201-19, Section III, IRM Review Handbook, "Management of IRM Activities."

    • 5 Code of Federal Regulations, Subpart C, Section 930.301, Training Requirement.

    • U.S. Department of Commerce National Bureau of Standards' Federal Information Processing Standards Publication No. 112, "Password Usage."

    • Computer Security Act of 1987 (Public Law 100-235, Section 5).

    • Office of Personnel Management's Federal Personnel Manual, Chapter 732, "Personnel Security."

    • 18 USCS §1030, pages 291-293, "Fraud and False Statements."

    • Robert R.
      Moeller's Computer Audit, Control, and Security; Wiley, 1989; Chapter 4, "Controls in the Distributed Network," and Chapter 11, "Auditing End User Computing General Controls."

    • ITC Guidelines:

        • Directive 1028.1, Office of Information Resources Management Mission and Function Statement, dated April 21, 1991.

        • Directive 7102.1, Guidelines for Using the USITC Local Area Network for Electronic Mail and Bulletin Board Purposes, dated January 8, 1990.

        • Directive 1360, Automated Data Security Procedures, dated June 27, 1988.

        • Administrative Notice ITC-N-6001, Eating, Drinking, and Smoking While Operating ADP and Wang Equipment, dated November 28, 1986.

        • Administrative Announcement USITC FY-91-40, Issuance of Identification Badges and Access to the Local Area Network, dated May 15, 1991.

The review was conducted in accordance with the Comptroller General's Government Auditing Standards (1988 revision).

PART 2: REVIEW RESULTS

Our findings, other matters for consideration, conclusions, and recommendations are discussed in this part.

FINDINGS

We noted certain conditions related to the management and administration of ITC's LAN that warrant management's attention. These conditions are discussed below:

1.  Dial-in telephone access into the LAN is not properly secured.
    When a processing system provides "dial-in" access, industry standards stipulate that certain control features be used, including a dial-back system or similar modem restriction. ITC Directive 1360, Chapter B, Section 6, requires that dial-in access to stand-alone microcomputers containing CBI (Confidential Business Information) "contain additional security/communications software which prompts the user for a sign-on password and activates a dial back feature." The LAN contains CBI.

    At present, the potential exists for compromise of LAN security. We documented one case where an individual has dial-in access to the LAN via a modem on the workstation without the dial-back feature being activated. This same individual has complete access to all records, documents, and data stored on a file server. Because such a workstation is already logged in to the LAN, whoever reaches its modem and satisfies the remote-control software inherits that workstation's LAN access without passing through any LAN-level authentication.

    An unknown number of additional LAN users currently maintain dial-in access. LAN administrators do not know if they are using the dial-back feature. Further, it is possible for an individual user with a dial-in modem to completely bypass LAN security without LAN administrators being aware of it.

    Prior to our review, OIRM recognized this problem and proposed a solution. We have incorporated certain aspects of its proposal into our recommendation.

2.  Because of the amount of work done on weekends, ITC has identified a need for a weekend back-up service. All file servers on the LAN have their weekend files backed up except for the Offices of Industries and Investigations. These offices have specifically requested weekend backup service; they have, however, denied OIRM access to the file servers because of the sensitive nature of the files. Without this access, OIRM cannot provide the needed weekend backup service.
    ITC Directive 1028.1 makes OIRM responsible for providing this service.

3.  ITC does not have a policy describing a frequency standard for virus checking. Without a standard, no procedure exists to determine if the file servers' scanning frequency is adequate. The file servers supported by OIRM are scanned 5 days a week, the Office of Investigations scans twice a week, and the Office of Industries every 3 days. Without access to all file servers (as discussed in Finding No. 2), OIRM cannot provide standardized virus checking. ITC Directive 1028.1 makes OIRM responsible for providing this service.

4.  ITC has no formal system or procedures to identify the type and number of software packages purchased or in use. Purchased software is not tracked in the personal property (or other control) system. As such, ITC cannot demonstrate compliance with Federal licensing statutes. A related negative effect of this condition is that ITC could lose available discounts when software upgrades are purchased, if it is unable to identify and document the number of original units purchased.

5.  No formal ITC statement of policy exists concerning the unauthorized use or duplication of copyrighted software by ITC employees. Title 17 of the United States Code (Copyrights), Chapter 5, Copyright Infringement and Remedies, states: "Anyone who violates any of the exclusive rights of the copyright owner ... is an infringer of the copyright." Computer software by its nature is easily duplicated. ITC has considered the need for such a directive, but the responsible parties have been unable to agree on the directive's content and wording. Without such a directive, ITC may become responsible if employees violate the copyright law.

6.
    ITC has no disaster recovery or contingency plan for offsite operation of the LAN in the event of a catastrophic incident. ITC has identified the need for a disaster recovery or contingency plan in its 5-year plan, A Five-Year Plan for Information Resources Management. Although the 5-year plan identified a June 30, 1992, milestone for a plans and procedures handbook for disaster recovery/contingency operation, ITC management indicated that planning is in the early developmental stages. Without its LAN capability, ITC would have difficulty carrying out its statutory responsibilities.

7.  ITC has no formal statement of the LAN administrator's internal control responsibilities. Presently, ITC's primary LAN system (Banyan Vines) produces various summaries of user and system status and activity. The senior network administrator periodically reviews the on-line logs to ensure that certain administrative tasks have been accomplished; however, this is only done when time permits. ITC should have a formal internal control plan for its LAN that includes procedures designed to prevent, at a minimum, destruction of data, data security degradation, and unauthorized access to CBI.

OTHER MATTERS FOR CONSIDERATION

We noted certain other matters that the Director of Administration should consider for action. These follow:

1.  Electronic access keys issued to employees are not routinely deactivated upon termination of employment. ITC has no policy to routinely deactivate the electronic keys at the time of employee termination. FIRMR Part 201-7.105(d)(1) requires that authorized personnel be positively identified through the use of local access control procedures.
    As part of our review, we identified former employees on the access list to the computer room.

2.  The USITC LAN Training user manual does not contain current and complete user information. As such, LAN users do not have access to sufficient, current documentation concerning ITC's policies and procedures regarding its LAN operations. As a result, users may be unaware of policies and procedures regarding LAN use, it may take more time for them to become proficient in using the LAN, and they may never learn to use some of its features.

3.  During our interviews of selected LAN file server administrators and users, certain respondents reported a deterioration in the quality of LAN support services. Because of a hiring freeze, the position of Chief, Office Automation Support Division, is vacant. OIRM staff have attempted to perform the necessary duties in the interim.

RECOMMENDATIONS REGARDING FINDINGS

Our recommendations to strengthen policies and procedures related to the Findings section are presented below. These recommendations are in the same order in which the findings were presented.

1.  The Director of Administration should instruct the Director, OIRM, that all dial-in modems should use the dial-back control feature. Directive 1360 should be revised, updated, and clarified.

    Modem restrictions should be employed for incoming calls to the LAN. Specifically, dial-in access to the LAN should be permitted only through a bank of personal computers set up in the computer room that run software that requires: (1) a password for connection, (2) activation of a dial-back facility, and (3) automatic capture of user identification for anyone using the facility. Activity should be logged and monitored on this bank of personal computers, and questionable log entries should be investigated.

2.
    The Director of Administration, working with the Director of Operations, should make arrangements for OIRM to be granted, at a minimum, "read-only" access to perform weekend backups in accordance with its responsibility under ITC Directive 1028.1.

3.  The Director of Administration, working with the Director of Operations, should make arrangements for OIRM to be granted, at a minimum, read-only access to perform virus scans in accordance with its responsibility under ITC Directive 1028.1. Read-only access is sufficient to copy and scan the files; restoring a backup or removing an infected file would still require write access from the owning office.

4.  The Director of Administration should instruct the Director, OIRM, to complete an inventory of each software package purchased and the number of copies currently in use. ITC is planning to upgrade the entire LAN over the next 12 to 18 months. As part of the upgrade, ITC plans to acquire upgraded versions of much of the software currently in use. To obtain the upgrade price for the new software, ITC must be able to document how many copies of each package have been purchased.

    ITC should consider developing a formal system for identifying, counting, and controlling the number of copies of software on the LAN. The system should be capable of documenting compliance with Federal licensing standards and readily identifying the type and number of software packages purchased.

5.  The Director of Administration should issue a directive prohibiting the unauthorized copying of copyrighted software. The directive might consist of nothing more than a statement to the effect that "ITC adheres to the tenets of United States Code, Title 17, which expressly prohibits unauthorized duplication of copyrighted materials."

6.
    The Director of Administration should assess the status of the disaster recovery (contingency) plan's development and take action to see that the project is completed expeditiously.

7.  The Director of Administration should instruct the Director, OIRM, to standardize and document procedures for the routine checking of LAN-produced lists and summaries. This should include the procedures currently conducted informally by the senior network administrator and OIRM staff to ensure effective internal control as well as any additional tasks OIRM considers necessary.

    The following additional checks should be considered for inclusion:

    • A periodic check of logs to identify unusual cases of unauthorized access attempts.

    • A periodic check of LAN account "last access" dates to identify and explain accounts left idle for long periods of time.

    • A periodic check of account access privileges to ensure that no individual is allowed inappropriate access rights.

    At a minimum, the procedures should specify an internal control objective and plan for the LAN, the minimum frequency of completion of the control tasks, and the individual who is responsible for each task. Performance standards should be altered to reflect these new responsibilities. Third-party software may be available to automate many of these routine, repetitive processes.

Commission Comments

The Director of Administration responded in writing to our recommendations (see appendix). He agreed with our recommendations and provided comments on the actions taken and those that are planned.
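Recommendation 1 (a central dial-in facility that requires a password, calls the user back, captures the user ID and logs every attempt) and Recommendation 7 (periodic checks of the logs, of "last access" dates and of account privileges) together describe one control loop. The following Python program is an illustration added to this page; it is not code from the report, from ITC, or from Banyan Vines. Every user ID, telephone number, password, date and threshold in it is constructed for the example, and the 90-day idle limit and three-rejection limit are assumed values an administrator would set.

```python
"""Central dial-in facility with call-back, plus the periodic log and
account review from Recommendation 7.

Added illustration; not code from the ITC report or from Banyan Vines.
Every user id, telephone number, password, date and threshold below is
constructed for the example.
"""
from datetime import date

IDLE_DAYS = 90         # assumed: an account unused this long is "idle"
REJECT_THRESHOLD = 3   # assumed: this many rejections is "unusual"


def make_directory():
    """Constructed directory of authorised dial-in users.  The call-back
    number is the only line a session can land on; the inbound call is
    never connected to the LAN."""
    return {
        "jsmith":  {"callback": "202-555-0101", "password": "sp1ce-r4ck",
                    "privileges": {"read"}, "last_access": date(1992, 5, 28)},
        "tlee":    {"callback": "202-555-0102", "password": "b4nyan-v1nes",
                    "privileges": {"read", "write"}, "last_access": date(1992, 1, 3)},
        "rgarcia": {"callback": "202-555-0103", "password": "h4rv4rd-gr",
                    "privileges": {"read", "write", "admin"},
                    "last_access": date(1992, 6, 1)},
        "pnguyen": {"callback": "202-555-0104", "password": "dbase-iii!",
                    "privileges": {"read", "admin"}, "last_access": date(1992, 6, 2)},
    }


def dial_in(directory, log, user_id, password, caller_line, today):
    """Handle one inbound call (Recommendation 1): check the password,
    hang up, and call back the registered number.  Every attempt is
    logged with the captured user id.  Returns the line the session
    was established on, or None."""
    rec = directory.get(user_id)
    if rec is None or rec["password"] != password:
        log.append((today, user_id, caller_line, "REJECT", "bad user id or password"))
        return None
    log.append((today, user_id, caller_line, "CALLBACK", rec["callback"]))
    rec["last_access"] = today
    return rec["callback"]


def review(directory, log, admins, today):
    """Periodic internal-control checks (Recommendation 7).  Returns a list
    of (check, user id, detail) tuples for an administrator to explain."""
    findings = []
    # Call-backs whose inbound line was not the registered number: the
    # session went to the real user, but somebody else knew the password.
    for _, uid, caller, outcome, detail in log:
        if outcome == "CALLBACK" and caller != detail:
            findings.append(("questionable-callback", uid, caller))
    # Unusual numbers of rejected attempts against one user id.
    rejects = {}
    for _, uid, _, outcome, _ in log:
        if outcome == "REJECT":
            rejects[uid] = rejects.get(uid, 0) + 1
    for uid, n in sorted(rejects.items()):
        if n >= REJECT_THRESHOLD:
            findings.append(("repeated-rejects", uid, n))
    # Accounts left idle, by "last access" date.
    for uid, rec in sorted(directory.items()):
        idle = (today - rec["last_access"]).days
        if idle > IDLE_DAYS:
            findings.append(("idle-account", uid, idle))
    # Admin rights held by anyone outside the approved administrator list.
    for uid, rec in sorted(directory.items()):
        if "admin" in rec["privileges"] and uid not in admins:
            findings.append(("unexpected-admin", uid, sorted(rec["privileges"])))
    return findings


def run_scenario():
    """A constructed day of dial-in activity followed by the review."""
    directory = make_directory()
    log = []
    admins = {"rgarcia"}       # assumed: the senior network administrator
    today = date(1992, 6, 4)
    # The real user, calling from the registered line.
    dial_in(directory, log, "jsmith", "sp1ce-r4ck", "202-555-0101", today)
    # Someone with jsmith's password on another line: the call-back still
    # goes to 202-555-0101, so this caller gets no session.
    landed = dial_in(directory, log, "jsmith", "sp1ce-r4ck", "703-555-0199", today)
    # Password guessing against tlee from the same outside line.
    for guess in ("password", "tlee", "vines"):
        dial_in(directory, log, "tlee", guess, "703-555-0199", today)
    return landed, log, review(directory, log, admins, today)


if __name__ == "__main__":
    landed, log, findings = run_scenario()
    for entry in log:
        print(*entry)
    for finding in findings:
        print("FLAG", *finding)
```

The point of the call-back step is that a stolen password alone buys nothing: the session is delivered to the line on file, not to the caller. The review then does what the recommendation asks for, and one of its checks (a call-back whose inbound line differed from the registered one) is exactly the "questionable log entry" that should be investigated, because the legitimate user received a call they did not place. The control assumes the telephone network delivers the call-back to the registered line, so it does not replace the log review; it makes the log review meaningful.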
The actions the Director describes should result in improved administration and control over ITC's LAN.

SUGGESTIONS REGARDING OTHER MATTERS FOR CONSIDERATION

Our suggestions regarding other matters for consideration are presented below.

1.  The Director of Administration should instruct the Director, Office of Management Services, to implement a policy of deactivating electronic access keys upon termination of employment. All keys belonging to former employees should be assembled and deactivated.

2.  The Director of Administration should instruct the Director, OIRM, to upgrade the USITC LAN Training manual to include, at a minimum, the topics listed under the caption "Network Training." The manual should also include copies of policies or directives that users might require.

Commission Comments

The Director of Administration responded in writing to our suggestions regarding other matters for consideration (see appendix). He agreed with our suggestions and provided comments on the actions taken and those that are planned. These actions should result in improvements regarding the administration and control over ITC's LAN.

Appendix

AD-P-528

August 12, 1992

MEMORANDUM

TO:       Inspector General

FROM:     Director, Office of Administration

SUBJECT:  Draft Report, "Review of USITC's Local Area Network Administration and Controls"

As requested by your memorandum dated July 16, 1992 (IG-P-038), submitted herewith is the Office of Administration's response to the subject draft audit report issued July 16, 1992.
In accordance with Section 11 of the USITC Directive 1701, the Commissioners have had an opportunity to comment on the response and the Chairman has approved it with modifications.

The Office of Administration agrees with all the audit recommendations. The attached response includes the actions to be taken and the target completion dates.

Please call me at 205-3131 or Bill Stuchbery at 205-3135 if you have any questions.

ATTACHMENTS

cc:  Director, Office of Information Resources Management
     Director, Office of Management Services

ADMINISTRATION'S COMMENTS ON THE DRAFT REPORT

RECOMMENDATIONS REGARDING FINDINGS

RECOMMENDATION:

1.  The Director of Administration should instruct the Director, OIRM, that all dial-in modems should use the call-back control feature. Directive 1360 should be revised, updated, and clarified.

    Modem restrictions should be employed for incoming calls to the LAN. Specifically, dial-in access should be permitted only through a bank of personal computers set up in the computer room that run software that requires: (1) a password for connection, (2) activation of a dial-back facility, and (3) automatic capture of user identification for anyone using the facility. Activity should be logged and monitored on this bank of personal computers, and questionable log entries should be investigated.

RESPONSE:  AGREE

Revision of Directive 1360 was started as part of the Administration's directives update procedure and prior to the IG conducting a study on LAN Administration and Controls. There is a chronology of events associated with the completion of the revision of Directive 1360 in that it cannot be completed until other recommendations are implemented and procedures written to be incorporated in the Directive.
Therefore the revision to\nDirective 1360 is scheduled to be completed 30 days after the\ncompletion of the -dial-in/call back" system as identified\nbelow.\n\nTARGET COMPLETION DATE:    January 29, 1993\n\nWorking with the Information Security Committee, OIRH will\ninstitute a central network dial-in facility with call-back,\npassword, and capture of user ID to be installed in the ITC\nComputer Roam. Logs of use will be periodically reviewed. All\nCommission-owned copies of "Carbon-Copy\xc2\xb7, \xc2\xb7Pc-AnyWhere\xc2\xb7, and any\nother software which allows dial-in access to individual PCs with\nmodems will be collected by OIRH. This procedure will be\nincorporated into Directive 1360 and will state that users are\nnot allowed to dial-into their individual PCs.\n\n A target completion date of 12/31/92 has been chosen since\n software must be purchased and PCs which will be turned in as a\n result of the ORB II purchase (approved August 3, 1992) will be\n used for the central network dial-in facility. Once the "dial-\n in/call back" system has been fully tested and tmplemented, the\n procedures will be incorporated into Directive 1360.\n\x0cTARGET COMPLETION DATE:   December 31, 1992\n\n\nRECOMMENDATJ;ON:\n\n2.   The Director of Administration~ working with the Director of\n     Operations, should make arrangements for OIRM to be granted,\n     at a min~um, "read-only\xc2\xb7 access to perform weekend backups\n     in accordance with its responsibility under ITC Directive\n     1028.1\n\nRESPONSE:   AGREE\n\nThe Directors of Administration and Operations should work out an\nagreement whereby the Director of Operations will instruct the\nDirectors of Industries and Investigations to place OIRH\'s Senior\nNetwork Administrators on their Server Adminlists.  (OIRH will\nthen take ~ediate action to include those offices in the\nalready established week-end back-up procedures.)\n\nTARGET COMPLETION DATE:   October 30, 1992\n\n\nRECOMMENDATION:\n\n3.   
The Director of Administration, working with the Director of\n     Operations, should make arrangements for OIRM to be granted,\n     at a min~um, "read-only" access to perfo~ virus scans in\n     accordance with its responsibility under ITC Directive\n     1028.1\n\nRESPONSE:   AGREE\n\nThe Director of Operations should instruct the Directors of\nIndustries and Investigations to place OIRH\'s Senior Network\nAdministrators on their Server Adminlists.  (OIRH will take\n~ediate action to include those offices in OIRM\'s established\nvirus scanning procedures.)\n\nTARGET COMPLETION DATE:   October 30, 1992\n\n\nRECOMMENDATION:\n\n4.    The Director of administration should instruct the Director,\n      OIRM, to complete an inventory of each software package\n      purchased and the number of copies currently in use. ITC is\n      planning to upgrade the entire LAN over the next 12 to 18\n      months. As part of the upgrade, ITC plans to acquire\n      upgraded versions of much of the software currently in use.\n      To obtain the upgrade price for the new software, ITC must\n      be able to document how many copies of each package have\n      been purchased.\n\x0c     ITC should consider developing a fo~l system for\n     identifying, counting, and controlling the number of copies\n     on the LAN\'. The system should be capable of documenting\n     compli~ce with Pederal licensing standards and readily\n     identi~ying the type and number of software packages\n     purchased.\n\nRESPONSE:   AGREE (with Qualification)\n\nThe OIRK network administrators will develop an inventory system\nfor all purchased software used on the \'network \'\xe2\x80\xa2 This inventory\nwill be updated as new software is purchased and include\noffice/individual initially issued software (if standalone copy)\nor server loaded on (if LAN copy). 
OIRM will track the\ndevelopment of third party, Banyan compatible, network tools for\nsoftware control and consider implementing when an appropriate\npackage is identified.\n\nTo the extent possible. OIRM will research and acquire software\nto scan individual PCs for all software in use. including that\nsoftware acquired prior to the new inventory being established.\nCompletion of this task for Cbe entire Network will also require\nthe Director of Operations to instruct the Directors of\nIndustries and Investigations to place OIRMls Senior Network\nAdministrators on their Server Adminlists.    Without the\navailability of an appropriate software tool. it would be too\ntime consuming and of questionable value to inventory all\nsoftware lin use l on individual PCs just prior to the phaseout of\nthose PCs.\n\nTARGET COMPLETION DATE:   March 31. 1993\n\n\nRECOMMENDATION:\n\n5.   The Director of Administration should issue a directive\n     prohibiting the unauthorized copying of copyrighted\n     software. The directive might consist of nothing more than\n     a statement to the effect that "ITC adheres to the tenants\n     of Title 17, U.S.C \xe2\x80\xa2\xe2\x80\xa2 which expressly prohibits unauthorized\n     duplication of copyrighted materials. II\n\n\nRESPONSE    AGREE\n\nWe will forward to the Chai~ for approval an Administrative\nOrder prohibiting the unauthorized copying of copyrighted\nsoftware. This prohibition will subsequently be made a part of\nITC Directive 1360.\n\nTARGET COMPLETION DATE:    September 15, 1992\n\n\n RECOMMENDATION:\n\x0c6.   
The Director of Administration should issue the status o\xc2\xa3\n     the disaster recovery (contingency) plan\'s development and\n     take action to see that the project is completed\n     expedit.iously.\nRESPONSE:    AGREE\nThis will be part of an overall emergency recovery plan which\nincludes information security, documents protection, facilities\nprotection and relocation as well as the IRK contingency plans.\nThis is included in the Director of Administration\'s SES work\nplan. Be will give periodic status updates to the Chairman- s\noffice.\nTARGET COMPLETION DATE:   January 1S, 1993\nRECOMMENDATION:\n7.   The Director of Administration should instruct the Director,\n     OXRH, to standardize and document procedures for the routine\n     checking of LAN produced lists and summaries. This should\n     include the procedures currently conducted info~lly by the\n     senior network administrator and OIRH staff to ensure\n     effective internal control as well as any additional tasks\n     OIRM considers necessary.\n     The following additional checks should.be considered for\n     inclusion:\n     - A periodic check of logs to identify unusual cases of\n     unauthorized access attempts.\n     - A periodic check of LAN account Rlast access R dates to\n     identify and explain accounts left idle for long periods of\n     time.\n      - A periodic check of account access privileges to ensure\n      that no individual is allowed inappropriate access rights.\n     At a min~, the procedures should specify an internal\n     control objective and plan for the LAN, the min~um\n     frequency of campletion of the control tasks, and the\n     individual who is responsible for each task. Perfo~ce\n     standards should be altered to reflect these new\n     responsibilities. 
Third-party software may be available to\n     automate many of these routine, repetitive processes.\n RESPONSE:   AGREE\n OIRK will document the procedures, standards, and     _\n responsibilities for monitoring ehe network, and include the\n additional checks recommended by the Auditors. These will be\n incorporated tDto a standard Internal Control procedure for\n\x0cannual follow-up.\n\nA target completion date of May 28, 1993 has been chosen to al.l.ow\nthe new Chi~f, Office Automation Support Division t~e to became\nfamiliar with his or her duties and responsibilities. The\nChairman approved on August 3, 1992, a waiver to the Commission\'s\nhiring maritorium to fill this position.\n\nTARGET COMPLETION DATE:    May 28, 1993\n\n\nSUGGESTIONS   REGARD~G   OTHER MATTERS FOR CONSIDERATION:\n\n1.   The Director of Administration should instruct the Director,\n     Office of Management Services, to implement a policy of\n     deactivating electronic access keys upon te~ination of\n     employment. All keys belonging to fo~er employees should\n     be deactivated.\n\nRESPONSE:   AGREE\n\nAlthough there were foxmer employees on the access list to the\ncomputer room, their access keys were in a safe under the control\nof the Security Officer in OMS. To maintain the accuracy of the\naccess list the Security Officer is now notifying Kastle Co. to\ndeactivate the keys as they are returned.\n\nTARGET COMPLETION DATE:     Completed\n\n\n2.   The Director of Administration should instruct the Director,\n     OIRM, to upgrade the USITC LAN Training Manual to include,\n     at a minimum, the topics listed under the caption, WNetwork\n     Training. 
w The manual should also include copies of\n     policies or directives that users might require.\n\nRESPONSE:     AGREE\n\nThe Senior Network Administrator responsible for conducting the\nNetwork Training class, will re-write the manual according to the\nrecommendations in the Inspector General\'s report.\n\nTARGET COMPLETION DATE:     February 26, 1993\n\x0c\x0c'